All systems containing customer information should undergo vulnerability scans at least once a month. Any critical or high issues should be documented in accordance with your change management policy and remediated in a timely manner.
In-scope web applications must be scanned. We’d recommend tools such as SonarCloud, Snyk, Acunetix, Burp Suite (by PortSwigger), and OWASP ZAP (Zaproxy).
We recommend performing static and dynamic application security testing on in-scope production code. Below are recommendations based on the tools you use:
- If using GitHub, you can use the built-in, open-source tool CodeQL to query your code and find vulnerabilities
- If using GitLab, you can use its CI/CD security suite to run various types of scans, including SAST, DAST, API fuzzing, etc.
- If using CircleCI, there are several ways to integrate leading DevOps security tools to run code scans in the pipeline
There are several other open-source tools. Check out our recommendations for open-source DAST or SAST tools here.